The Washington Post

2 experts used email headers to determine veracity

The Washington Post asked two computer security experts to review a portable hard drive that purportedly contained data from Hunter Biden’s MacBook Pro computer. The Post obtained the drive last year from a conservative political researcher who had once worked for former Donald Trump adviser Stephen K. Bannon.

The Post asked the two experts, Matt Green, a Johns Hopkins University cryptologist, and Jake Williams, a faculty member for the information security research group IANS, to determine if the information on the drive was authentic.

Hunter Biden’s laptop has been the subject of intense debate since October 2020, when the New York Post first published accusations that the laptop contained information suggesting that Biden’s business deals had also enriched his father, now President Biden. Republicans have hailed the laptop as evidence of wrongdoing, while Democrats have suggested it had been manipulated and may have included misinformation planted by the Russian government.

The examinations of the portable drive by Green and Williams were largely inconclusive. Both researchers, who worked independently of each other, determined that the data contained on the drive was so compromised by a variety of factors that definitive conclusions about most of its contents were impossible.

But they did agree that nearly 22,000 emails contained on the portable drive were authentic — meaning they contained cryptographic signatures that indicated they came from the accounts that they claimed to be from and had not been manipulated in some way.

This was determined by examining what’s known as the headers of the emails. Headers are rarely visible to people reading their emails, but they contain what is known as metadata that includes information about an email’s sending account, its recipient and its path through the Internet. In some cases, headers also include a series of letters and numbers that appear unintelligible but, in fact, are cryptographic signatures that can be used to verify an email’s sender and contents.
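As an illustration added here (it is not code from the article or from the experts' reports), the sketch below shows one step of such a check, assuming the signatures follow the DKIM standard (RFC 6376), which the article does not name: recomputing the body hash stored in a message's `DKIM-Signature` header. The message, addresses and `b=` value are constructed placeholders, and the second step of a full verification, checking the signature over the headers against the sending domain's published public key, is left out so the example runs offline.

```python
import base64
import hashlib
import re
from email import message_from_bytes

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def canonicalize_body(body, mode):
    """Apply DKIM 'simple' or 'relaxed' body canonicalization (RFC 6376, 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, strip line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, tags):
    """Compute the base64 body hash the way the signer's bh= tag was made."""
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    canon = canonicalize_body(body, body_mode or "simple")
    canon = canon[: int(tags["l"])] if "l" in tags else canon  # l= length limit
    algo = tags["a"].split("-")[1]  # e.g. rsa-sha256 -> sha256
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode()

def body_unaltered(raw):
    """True if the message body still matches the hash in its DKIM-Signature."""
    msg = message_from_bytes(raw)
    if msg["DKIM-Signature"] is None:
        raise ValueError("no DKIM-Signature header")
    tags = parse_tags(msg["DKIM-Signature"])
    body = raw.split(b"\r\n\r\n", 1)[1]
    return body_hash(body, tags) == tags["bh"]

# Constructed sample (not from the drive); the b= value is a placeholder.
BODY = b"The lease starts   in March.\r\n\r\n"
TAGS = {"a": "rsa-sha256", "c": "relaxed/relaxed"}
SAMPLE = (b"From: alice@example.com\r\nSubject: lease\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b" s=sel1; h=from:subject; bh=" + body_hash(BODY, TAGS).encode() +
          b"; b=PLACEHOLDER\r\n\r\n" + BODY)
```

Changing a single word of the sample body makes `body_unaltered` return False, while differences that relaxed canonicalization ignores, such as runs of spaces, do not.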

Green and Williams between them were able to use cryptographic signatures to verify 22,000 emails out of the nearly 129,000 on the portable drive.

They also agreed that they found no clear evidence that data on the hard drive had been tampered with, but said that it was difficult to reach a conclusion on the data on the drive as a whole. The ability to verify it, they said, was undermined by the fact the hard drive had been handled over the years in a manner that damaged some key files, making them unusable for the purposes of forensic examination. As Williams noted in his technical report, “several key pieces of evidence useful in discovering tampering were not available.”

In writing about the emails on the drive, The Post applied a two-part test. One was whether the emails could be cryptographically verified by the experts. The other was whether there was outside information confirming the validity of the emails.

For example, like other news organizations, The Post received records from the Swedish government that confirmed emails related to office space that Hunter Biden rented. In other cases, The Post relied on bank documents acquired by Senate investigators that confirmed the substance of email traffic and financial documents on the drive. The Post also confirmed emails with other recipients.